Configure the Linux-PAM using SSSD

Configure the Oracle Identity Cloud Service Linux Pluggable Authentication Module (PAM) on Linux using the SSSD service.


The following prerequisites must be met before proceeding with the configuration.
  • The SSSD service must be installed. If it is not installed, install it with sudo yum install sssd.
  • The service must be configured to start when the system reboots. Enable this with sudo chkconfig sssd on.
  • The SELINUX property in /etc/selinux/config must be set to permissive or disabled. If it is not, set SELINUX=permissive or SELINUX=disabled.
  • Restart Linux to incorporate the above changes.
  1. Verify that the /etc/sssd/sssd.conf file exists, has mode 600, and is owned by the root user. If the file does not exist, create it with the following contents and run chmod 600 /etc/sssd/sssd.conf.


    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = proxy_proxy

    [nss]
    fallback_homedir = /home/%u
    default_shell = /bin/sh

    [pam]

    [domain/proxy_proxy]
    auth_provider = proxy
    id_provider = proxy
    proxy_lib_name = oracle_cloud
    proxy_pam_target = sssd_proxy_oracle_cloud
    enumerate = false
    cache_credentials = true
    debug_level = 5
    min_id = 500

    Optionally, you can configure email addresses as the SSO usernames. To do this, add the re_expression line shown first below to the [domain/proxy_proxy] section of /etc/sssd/sssd.conf, ahead of auth_provider and id_provider, to specify the regular expression that separates the domain part from the user name:
    re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
    auth_provider = proxy
    id_provider = proxy
  2. Verify that the /etc/pam.d/sssd_proxy_oracle_cloud file exists and is owned by the root user. If the file does not exist, create it as the root user with the following contents:

    /etc/pam.d/sssd_proxy_oracle_cloud file

    auth          required      pam_oracle_cloud.so
    account       required      pam_oracle_cloud.so
    password      required      pam_oracle_cloud.so
    session       required      pam_oracle_cloud.so
  3. Edit /etc/pam.d/sshd and add the pam_oracle_cloud module:


    auth sufficient pam_oracle_cloud.so
    #Note: the line above must be placed before the following line, so that PAM evaluates the module first:
    auth include password-auth
  4. Edit /etc/ssh/sshd_config to configure sshd to allow the use of Multi-Factor Authentication:


    #Search for the ChallengeResponseAuthentication property and set it to yes (sshd honours the first uncommented occurrence).
    ChallengeResponseAuthentication  yes
  5. Edit /etc/opc.conf to allow the plugin to interact with Oracle Identity Cloud Service:


    #This is a sample opc.conf file; replace the values with the correct information for your environment.
    #Enter the Oracle Identity Cloud Service tenancy base URL.
    base_url = https://identity-cloud-service-instance-url
    #There is no need to change the value of scope.
    scope = urn:opc:idm:__myscopes__
    #Enter the location of the wallet.
    wallet_location = /etc/opc-wallet
    #Enter the log level. This is optional and defaults to 0, which means no logging. 0 - None, 1 - Error, 2 - Info, 3 - Debug.
    log_level = 0
    #Enter the log file path. This is optional and defaults to /var/log/opc/pam_nss.log.
    log_file_path = /var/log/opc/pam_nss.log
    #Set use_proxy to 1 to connect to Oracle Identity Cloud Service through a proxy, or to 0 to connect directly.
    use_proxy = 0
    #Enter the information below if use_proxy=1:
    #Enter the proxy URL
    #Enter the proxy port
    #Enter the username to connect to the proxy URL.
    #Enter the password of that username to connect to the proxy URL.
  6. Enable SSSD in the PAM and NSS stacks, then restart sshd and sssd:
    • authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --update
    • service sshd restart
    • service sssd restart
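As an added example that is not part of the Oracle documentation, the following POSIX shell script checks the outcome of steps 1 to 4: that sssd.conf has mode 600 and the expected owner, that the PAM service file named by proxy_pam_target routes all four management groups through pam_oracle_cloud.so, that the pam_oracle_cloud line in /etc/pam.d/sshd precedes the password-auth include, and that the first uncommented ChallengeResponseAuthentication keyword is yes. It builds a constructed set of sample files in a temporary directory (the file names mirror the steps above; the function names, the sshd.misordered sample and the use of GNU stat are the example's own assumptions). On a real host the functions would be pointed at the /etc paths from the steps instead.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: checks for the result of
# steps 1 to 4 above. make_sample_tree builds constructed sample files in a
# temporary directory; on a real host the functions take the /etc paths
# named in the steps. Uses GNU stat (Linux).

# Permission bits (e.g. 600) and owner name of a file.
file_mode()  { stat -c '%a' "$1"; }
file_owner() { stat -c '%U' "$1"; }

# Step 1: sssd.conf exists, is mode 600 and is owned by $2 (root on a host).
sssd_conf_protected() {
  [ -f "$1" ] && [ "$(file_mode "$1")" = "600" ] && [ "$(file_owner "$1")" = "${2:-root}" ]
}

# Step 1: the proxy_pam_target value names the PAM service file of step 2.
sssd_pam_target() {
  sed -n 's/^[[:space:]]*proxy_pam_target[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Step 2: all four management groups are routed through pam_oracle_cloud.so.
pam_target_complete() {
  for grp in auth account password session; do
    grep -Eq "^[[:space:]]*${grp}[[:space:]]+required[[:space:]]+pam_oracle_cloud\.so" "$1" || return 1
  done
}

# Step 3: the pam_oracle_cloud line precedes "auth include password-auth";
# PAM evaluates the stack top to bottom, so the order matters.
pam_sshd_ordered() {
  awk '
    /^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_oracle_cloud\.so/ && !m { m = NR }
    /^[[:space:]]*auth[[:space:]]+include[[:space:]]+password-auth/ && !i { i = NR }
    END { exit (m && i && m < i) ? 0 : 1 }
  ' "$1"
}

# Step 4: sshd uses the first ChallengeResponseAuthentication keyword it
# reads (commented lines do not count), so that occurrence must be "yes".
challenge_response_enabled() {
  awk '
    tolower($1) == "challengeresponseauthentication" && !seen { seen = 1; ok = (tolower($2) == "yes") }
    END { exit ok ? 0 : 1 }
  ' "$1"
}

# Constructed sample files mirroring steps 1 to 4, created under mktemp -d;
# prints the directory. Never touches /etc.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/sssd" "$d/pam.d" "$d/ssh"
  cat > "$d/sssd/sssd.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = proxy_proxy

[domain/proxy_proxy]
auth_provider = proxy
id_provider = proxy
proxy_lib_name = oracle_cloud
proxy_pam_target = sssd_proxy_oracle_cloud
EOF
  chmod 600 "$d/sssd/sssd.conf"
  printf '%s\n' 'auth required pam_oracle_cloud.so' 'account required pam_oracle_cloud.so' \
    'password required pam_oracle_cloud.so' 'session required pam_oracle_cloud.so' \
    > "$d/pam.d/sssd_proxy_oracle_cloud"
  printf '%s\n' 'auth sufficient pam_oracle_cloud.so' 'auth include password-auth' > "$d/pam.d/sshd"
  # Deliberately wrong order: the module line would sit behind the include.
  printf '%s\n' 'auth include password-auth' 'auth sufficient pam_oracle_cloud.so' > "$d/pam.d/sshd.misordered"
  printf '%s\n' '#ChallengeResponseAuthentication no' 'ChallengeResponseAuthentication yes' > "$d/ssh/sshd_config"
  echo "$d"
}

# Demonstration run against the constructed tree.
report() { if "$1" "$2"; then echo "ok   $3"; else echo "FAIL $3"; fi; }
SAMPLE=$(make_sample_tree)
echo "sssd.conf mode/owner: $(file_mode "$SAMPLE/sssd/sssd.conf") $(file_owner "$SAMPLE/sssd/sssd.conf") (want 600 root)"
TARGET=$(sssd_pam_target "$SAMPLE/sssd/sssd.conf")
report pam_target_complete "$SAMPLE/pam.d/$TARGET" "$TARGET covers auth/account/password/session"
report pam_sshd_ordered "$SAMPLE/pam.d/sshd" "pam_oracle_cloud before password-auth include"
report pam_sshd_ordered "$SAMPLE/pam.d/sshd.misordered" "misordered sample (FAIL expected)"
report challenge_response_enabled "$SAMPLE/ssh/sshd_config" "ChallengeResponseAuthentication yes"
rm -rf "$SAMPLE"
```

The owner check takes the expected owner as a second argument so the same function can be run against a staging copy owned by an unprivileged user; on the host itself call it with the default of root. The misordered sshd sample exists only to show that pam_sshd_ordered fails when the module line is placed after the include, which is the mistake step 3 warns about.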